Multi-Factor Authentication Providers

SecureMFA ADFS OTP Provider

OTP authentication for Microsoft ADFS. It is a module for Microsoft ADFS 2022, ADFS 2019 or ADFS 2016 servers. It enables ADFS servers to provide multi-factor authentication (MFA) using the Time-Based One-Time Password (TOTP) algorithm defined in RFC6238. With this MFA provider, users must enter a one-time passcode generated on their phones by an authenticator application such as Microsoft Authenticator, Google Authenticator or Symantec VIP to complete the second-factor authentication logon.

Product details and information on how to deploy the latest SecureMFA Time-Based One-Time Passcode provider for ADFS

Features

  • OTP passcodes for unlimited user accounts.

  • OTP user accounts deactivation

  • OTP data storage in MS SQL service

  • Self-registration with QR code (using free mobile apps such as Microsoft Authenticator, Google Authenticator or Symantec VIP)

  • Logs in Windows Applications Log

  • ADFS 2016 / ADFS 2019 / ADFS 2022 support

  • Support of ADFS CSS themes

  • OTP data storage in MS Active Directory attributes or MS SQL Service

  • OTP account lockout feature.

  • OTP validity length can be customised

  • OTP Setup Bypass feature

  • Time skew support for OTP clients

  • QR secrets encryption with AES 256-bit encryption.

  • Configuration of network locations (IPv4 and IPv6) from which users can scan the QR code.

  • Offline QR code generator (Integrated into adapter)

  • QR code customizations. (Advanced configuration)

  • User interface customizations

  • Free version notes are removed

  • Support of ADDS multi-forests trust relationships

Requirements

    • Users must deploy the solution on each of the ADFS servers (not on Proxy Servers).

    • Requires MS .NET Framework 4.6.1 or later.

SecureMFA ADFS API OTP Provider

OTP authentication for Microsoft Active Directory Federation Service (ADFS). It enables ADFS servers to provide multi-factor authentication (MFA) using the Time-Based One-Time Password (TOTP) algorithm defined in RFC6238. With this MFA provider, users must enter a one-time passcode to complete the second-factor authentication login. The OTP code is delivered to a third-party provider's API Gateway endpoint using HTTP POST. Managed API Gateway services are offered by vendors such as Amazon (AWS SNS) and Microsoft (Azure API Management).

Product details and information on how to deploy the latest SecureMFA API OTP Provider for ADFS

Features

  • OTP passcodes for unlimited user accounts

  • OTP code delivery via a third-party provider's API endpoint (message delivery by SMS, e-mail, phone, etc.)

  • OTP user accounts deactivation

  • Logs in Windows Applications Log

  • ADFS 2016 / ADFS 2019 / ADFS 2022 support

  • Proxy configuration

  • Support of ADFS CSS themes

  • OTP data storage in MS SQL service

  • OTP data storage in MS Active Directory attributes

  • OTP account lockout

  • Send API parameters in a message body

  • API Custom AD attributes in POST message

  • Customization for POST data values when sending into API endpoint

  • Authentication against API endpoint

  • QR code encryption with AES 256-bit encryption

  • User interface customizations

  • Free version notes are removed

  • Support of ADDS multi-forests trust relationships

Requirements

    • Users must deploy the solution on each of the ADFS servers (not on Proxy Servers).

    • Requires MS .NET Framework 4.6.1 or later.

SecureMFA ADFS Email OTP Provider

OTP authentication for Microsoft Active Directory Federation Service (ADFS). It enables ADFS servers to provide multi-factor authentication (MFA) using the Time-Based One-Time Password (TOTP) algorithm defined in RFC6238. With this MFA provider, users must enter a one-time passcode to complete the second-factor authentication login. The OTP code is delivered using an SMTP service.

Product details and information on how to deploy the latest SecureMFA Email Time-Based OTP Provider for ADFS

Features

  • Multi-language UI: English, Spanish, French, German, Chinese, Portuguese, Russian, Italian, Arabic, Turkish, Dutch, Finnish, Swedish, Norwegian, Polish, Danish and Lithuanian.

  • OTP passcodes for unlimited user accounts

  • OTP code delivery using an SMTP service

  • OTP user accounts deactivation

  • OTP data storage in MS SQL service

  • Logs in Windows Applications Log

  • ADFS 2016 / ADFS 2019 / ADFS 2022 support

  • Support of ADFS CSS themes

  • OTP data storage in MS Active Directory attributes or MS SQL Service

  • OTP account lockout

  • OTP validity length can be customised

  • SSL and user authentication support for SMTP service

  • Secrets encryption with AES 256-bit encryption

  • Domain restrictions to receive OTP codes

  • User interface customizations

  • Free version notes are removed

Requirements

    • Users must deploy the solution on each of the ADFS servers (not on Proxy Servers).

    • Requires MS .NET Framework 4.6.1 or later.

SecureMFA ADFS Threat Detection Module

Threat Detection Module for Microsoft Active Directory Federation Service (ADFS). The module allows or blocks user authentication requests at the point where the user provides credentials but before AD FS evaluates them. It uses the user risk level determined by Azure AD Identity Protection to block or allow authentication based on the user's risk score. It can also block authentication requests from risky IPs as soon as AD FS receives the request, before the user enters credentials. Once registered with AD FS, the module runs inline with the AD FS authentication process.

Product details and information on how to deploy the latest SecureMFA Threat Detection Module

Features

  • User risk assessment for unlimited user accounts using Azure Identity Protection risk scores.

  • Performance optimised API queries for Azure Identity Protection lookups.

  • Block or allow requests received from extranet IPs (multiple network ranges)

  • Block or allow requests received from intranet IPs (multiple network ranges)

  • Logs in Windows Applications Log

  • ADFS 2019 / ADFS 2022 support

  • Proxy configuration for Azure API requests

  • Support of ADFS CSS themes

Requirements (when using the user risk assessment feature with Azure Identity Protection)

  • AD FS 2019 or later

  • Synchronize AD (on-prem) users with Azure AD using synchronization tools such as Azure AD Connect

  • Azure AD Premium P2 license to be able to call riskyUser API (https://graph.microsoft.com/beta/riskyUsers)

  • Configure an additional authentication method for AD FS such as "SecureMFA OTP"

  • .NET Framework 4.7.2 and above

SecureMFA RD Gateway OTP Provider

RD Gateway MFA provider. It is an OTP authentication module for Microsoft Remote Desktop Gateway servers (Windows 2022 / 2019 / 2016). It provides multi-factor authentication for RDS farms and Remote Desktop Service access using the Time-Based One-Time Password (TOTP) algorithm; the algorithm is specified in RFC6238. With this MFA provider, users must enter a one-time passcode generated on their phones by an authenticator application such as Microsoft Authenticator, Google Authenticator or Symantec VIP to complete the second-factor authentication logon. The module fully replaces the native RD Gateway Connection Authorization Policies (CAP) with OTP codes and fully integrates with the native RD Gateway Resource Authorization Policies (RAP) for access control. More details on how the RD Gateway API works can be found in the MSDN article.

Product details and information on how to deploy the latest SecureMFA RD Gateway OTP Authentication Provider for the Microsoft RD Gateway Service

Features

    • OTP passcodes for unlimited user accounts

    • OTP account lockout

    • QR code secrets encryption with AES 256-bit encryption

    • OTP data storage in MS SQL service

    • OTP user accounts deactivation

    • Integrates with native Microsoft RD Gateway resource authorization policies (RAP)

    • Logs in Windows Applications Log

    • Supported on Windows 2016 / 2019 / 2022 servers

    • Web portal that allows initiating an RDP connection from a web browser

Requirements

    • The solution must be deployed on a working RD Gateway server.

    • Requires MS .NET Framework 4.6.1 or later.

Limitations

    • An RD Gateway server cannot be configured to use native authentication and the SecureMFA RD Gateway OTP authentication provider at the same time.

SecureMFA MS Windows OTP Provider

SecureMFA WIN Authentication Provider wraps TOTP authentication around the native Windows authentication provider. It requires users to enter a one-time passcode generated on their phones by an authenticator application such as Microsoft Authenticator, Google Authenticator or Symantec VIP as a second factor in addition to their Windows password. The Windows MFA provider works with standalone and domain-joined workstations or servers. The provider is built on the Windows authentication plug-in architecture.

Product details and information on how to deploy the latest SecureMFA WIN OTP Authentication Provider for Windows

Features

    • TOTP code validation for unlimited user accounts

    • TOTP API message decryption with custom AES 256-bit encryption key.

    • “Change Password” link to Self-service password portal (SSPR) URL.

    • Header authentication against API endpoint.

    • API response message protection against replay or tampering.

    • TOTP Offline authentication.

    • TOTP account lockout feature.

Requirements

    • SecureMFA WIN Authentication Provider supports Windows x64 platforms only.

    • Minimum server OS version is Windows 2016

    • Minimum client OS version is Windows 10

Self-service password reset portal (SSPR with MFA)

The self-service password reset portal allows users to reset, change and unlock Active Directory accounts. The portal enforces multi-factor authentication to verify a user's identity. Users must enter a one-time passcode generated on their phones by an authenticator application such as Microsoft Authenticator, Google Authenticator or Symantec VIP. The second factor is either the user's password challenge or an authorization token received via email. The portal supports role-based access control (RBAC) and multiple domain profiles.

Product details and information on how to deploy the latest SecureMFA SSPR Portal

Features

  • Password unlock/change/reset for unlimited Active Directory user accounts.

  • Active Directory access via integrated authentication or LDAP.

  • Multiple LDAP servers for resilient configuration.

  • Multiple profiles to access an unlimited number of domains.

  • Password Change/Reset honors Active Directory password history and complexity policies.

  • Role-based access to the unlock/change/reset workflows.

  • Multi-factor authentication.

  • TOTP authentication is used as the first factor.

  • OTP account deactivation.

  • OTP account lockout feature.

  • OTP data storage in MS Active Directory attributes or MS SQL Service.

  • OTP account secrets encryption with AES 256-bit encryption.

  • Active Directory user password challenge as the second factor.

  • Email Authorization code for password reset workflow.

  • Unlimited email authorization codes.

  • Email authorization codes validity length customization.

  • Configurable whitelist of domains allowed to receive authorization codes.

  • Configuration of subnets from which unlock/change/reset workflows can be executed.

  • Logs in Windows Applications Log.

  • UI branding using a CSS theme and logo image.

  • API interface.

Requirements

  • IIS 10 or above.

  • OS with Windows x64 architecture.

  • ASP.NET Core 3.1 Runtime (minimum v3.1.10).